How to fix Office 365 AADSync SMTP/UPN matching issues


I recently had to fix some issues with DirSync. For some reason (there were some cloud users created before DirSync was enabled) there were duplicate users, because DirSync failed to match the already present cloud user and the corresponding AD (Active Directory) user. There were also accounts that failed to sync and thus failed to sync all attributes properly.

If there is already a cloud account and a synced account is needed, you can create an AD account in a DirSynced OU. Be sure to create the user with a full UPN matching the one in Office 365 and with the same SMTP addresses that are present on the cloud account. With the next sync DirSync should match both accounts. If not, matching fails and you end up with either duplicate accounts (one cloud user and a DirSynced user with the same name/last name/display name) or an InvalidSoftMatch.

When UPN/SMTP matching has failed you can merge the accounts by setting the ImmutableID on the Office 365 account (MsolUser); this value is derived from the AD user’s ObjectGuid. The attribute can only be set on Office 365 accounts. Once it is set, DirSync should match the accounts correctly.

When there are duplicates:
1. Remove the user from DirSync (move the AD user to an OU that is not synced; this only works when OU filtering is used. If not, disable DirSync…).
2. Perform a DirSync.
3. Remove the duplicate synced user (NOT the cloud user):
Remove-MsolUser -UserPrincipalName <UPN> -RemoveFromRecycleBin
4. Derive the ImmutableID from the AD user:
$guid = (Get-ADUser <username>).ObjectGuid
$immutableID = [System.Convert]::ToBase64String($guid.ToByteArray())
5. Connect to Azure AD (Connect-MsolService, available when the Azure AD PowerShell module is installed) and set the ImmutableID on the cloud user:
Set-MsolUser -UserPrincipalName <clouduserUPN> -ImmutableID $immutableID
6. It is possible that the clouduserUPN must first be changed to the <tenant>.onmicrosoft.com format. DirSync will then change it to correspond with the AD UPN.
7. Place the AD account back in the correct (synced) OU.
8. Manually start a sync on the DirSync server:
C:\Program Files\Windows Azure Directory Sync\DirSyncConfigShell.psc1
Start-OnlineCoexistenceSync
Start-OnlineCoexistenceSync -Full

When you have an InvalidSoftMatch (SMTP address matching doesn’t work because the SMTP address already exists in the cloud):
Within MIISClient.exe on the DirSync server you can check for errors. In this case the account wasn’t properly matched.

1. Derive the ImmutableID from the AD user:
$guid = (Get-ADUser <username>).ObjectGuid
$immutableID = [System.Convert]::ToBase64String($guid.ToByteArray())
2. Connect to Azure AD (Connect-MsolService, available when the Azure AD PowerShell module is installed) and set the ImmutableID on the cloud user:
Set-MsolUser -UserPrincipalName <clouduserUPN> -ImmutableID $immutableID
3. It is possible that the clouduserUPN must first be changed to the <tenant>.onmicrosoft.com format. DirSync will then change it to correspond with the AD UPN.
4. Then perform a sync as described in the previous section.
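The two procedures above (the duplicate-account case and the InvalidSoftMatch case) share the same core steps: derive the ImmutableID from the AD ObjectGuid, optionally remove the duplicate synced user from the recycle bin, and stamp the cloud-only user. The following script is an added example and not part of the original post; it wraps those steps with the checks you want before writing to the tenant, because stamping a wrong ImmutableID re-maps a mailbox to a different on-premises identity. It assumes the ActiveDirectory and MSOnline modules are installed, that Connect-MsolService has already been run, and the function names Get-ImmutableIdFromAdUser, Test-ImmutableIdRoundTrip and Repair-CloudUserMatch are my own; the account names in the usage line are placeholders.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory and
# MSOnline PowerShell modules are installed and Connect-MsolService has been run.
Import-Module ActiveDirectory
Import-Module MSOnline

function Get-ImmutableIdFromAdUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $adUser = Get-ADUser -Identity $SamAccountName
    # The ImmutableID is the Base64 encoding of the 16 raw bytes of the AD ObjectGUID.
    [System.Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
}

function Test-ImmutableIdRoundTrip {
    # Decode the Base64 value again and compare it with the GUID, so a copy/paste
    # error is caught before anything is written to the tenant.
    param([string]$ImmutableId, [guid]$ExpectedGuid)
    $bytes   = [System.Convert]::FromBase64String($ImmutableId)
    $decoded = New-Object -TypeName System.Guid -ArgumentList (,$bytes)
    return ($decoded -eq $ExpectedGuid)
}

function Repair-CloudUserMatch {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,  # on-premises AD user
        [Parameter(Mandatory)][string]$CloudUpn,        # UPN of the cloud account to keep
        [string]$DuplicateSyncedUpn                     # optional: duplicate synced account,
                                                        # already soft-deleted by the sync in step 2
    )
    if ($DuplicateSyncedUpn -and ($DuplicateSyncedUpn -eq $CloudUpn)) {
        throw "Duplicate UPN and cloud UPN are the same account; refusing to continue"
    }

    $adUser      = Get-ADUser -Identity $SamAccountName -Properties mail, proxyAddresses
    $immutableId = Get-ImmutableIdFromAdUser -SamAccountName $SamAccountName
    if (-not (Test-ImmutableIdRoundTrip -ImmutableId $immutableId -ExpectedGuid $adUser.ObjectGUID)) {
        throw "ImmutableID does not decode back to the ObjectGUID of $SamAccountName"
    }

    $cloudUser = Get-MsolUser -UserPrincipalName $CloudUpn -ErrorAction Stop

    # Guard 1: only stamp a cloud-only account. A non-empty ImmutableId means the
    # account is already anchored to some AD object; overwriting it would silently
    # re-map that mailbox to another on-premises user.
    if ($cloudUser.ImmutableId) {
        throw "$CloudUpn already has ImmutableId '$($cloudUser.ImmutableId)'; refusing to overwrite"
    }

    # Guard 2: the AD user and the cloud user must share the UPN or at least one
    # SMTP address (the same data the soft match uses). No overlap means you are
    # probably about to merge the wrong pair.
    $strip     = { $_ -replace '^(?i)smtp:', '' }
    $adSmtp    = @($adUser.mail) + @($adUser.proxyAddresses | ForEach-Object $strip)
    $cloudSmtp = @($cloudUser.UserPrincipalName) + @($cloudUser.ProxyAddresses | ForEach-Object $strip)
    $common    = @($adSmtp | Where-Object { $_ -and ($cloudSmtp -contains $_) })
    if ($common.Count -eq 0 -and $adUser.UserPrincipalName -ne $CloudUpn) {
        throw "No common SMTP address or UPN between $SamAccountName and $CloudUpn; verify the accounts before merging"
    }

    if ($DuplicateSyncedUpn) {
        # After the AD user was moved out of the synced OU and a sync ran, the duplicate
        # synced user sits in the recycle bin. Remove it from there, never the cloud user.
        $dup = Get-MsolUser -ReturnDeletedUsers -UserPrincipalName $DuplicateSyncedUpn -ErrorAction Stop
        Remove-MsolUser -UserPrincipalName $dup.UserPrincipalName -RemoveFromRecycleBin -Force
    }

    Set-MsolUser -UserPrincipalName $CloudUpn -ImmutableId $immutableId
    Write-Host "Stamped $CloudUpn with ImmutableID $immutableId (AD user $SamAccountName)"

    # Step 6 of the post: a cloud UPN that differs from the AD UPN may need to be moved to
    # the <tenant>.onmicrosoft.com form first (Set-MsolUserPrincipalName). Only warn here,
    # since renaming a user is a separate, visible change.
    if ($cloudUser.UserPrincipalName -ne $adUser.UserPrincipalName -and
        $cloudUser.UserPrincipalName -notlike '*.onmicrosoft.com') {
        Write-Warning "Cloud UPN $CloudUpn differs from AD UPN $($adUser.UserPrincipalName); consider Set-MsolUserPrincipalName before the next sync"
    }
}

# Usage (placeholder names):
# Repair-CloudUserMatch -SamAccountName 'jdoe' -CloudUpn 'jdoe@contoso.com' `
#                       -DuplicateSyncedUpn 'jdoe1@contoso.onmicrosoft.com'
```

Run it after step 2 of the duplicate procedure (or directly in the InvalidSoftMatch case, without -DuplicateSyncedUpn), then continue with moving the AD account back and starting the sync. The two guards are the point: the ImmutableID check prevents re-anchoring an account that is already synced, and the SMTP/UPN overlap check makes sure the merge target is the account the soft match would have picked.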

See also:
One or more objects don’t sync when using the Azure Active Directory Sync tool: http://support.microsoft.com/kb/2643629/en-us
How to use SMTP matching to match on-premises user accounts to Office 365 user accounts for directory synchronization: http://support.microsoft.com/kb/2641663/en-us


Comments (1)

  1. Jose Fernando Castaño Carmona says:

    Saved my life! tks for this article

    worked like a charm
